Part 2 of our article series, Principal Consultant Misha Dorman continues with his latest insights on Passwords.
Almost all online services use passwords to authenticate users. As we saw in part 1, users left to their own devices will tend to choose weak passwords.
To try to stop users from choosing such easy-to-guess passwords most sites use a combination of password complexity rules – “use mixed case and include at least one number” – and length requirements.
Password Complexity Rules
So we prevent users from creating such very simple passwords by forcing them to create a reasonably long password which uses multiple character sets. Combined with automatic account lock-outs after a small number of failed login attempts, and keeping the passwords safe and secure within our systems, we would seem to have effectively prevented attackers from guessing our users’ passwords.
With only 5 or 10 attempts to guess each password, an attacker would have to get pretty lucky to guess something like “Gr4p3fru1t42!”, surely?
Re-cycling Good – Password Re-use Bad! Don’t reuse passwords
Unfortunately, not only do people tend to choose weak passwords – they also frequently use the same passwords on many different websites – whether it be their online banking or trading login, their gym membership, for a dating site or for a coupon club. Password usage data from LastPass, a password management service, indicates that, while over 90% of users “know” that using the same password for multiple accounts is more risky, two-thirds of them do so nevertheless. Analysis of real-life passwords suggests that 70+% of passwords may be re-used across multiple websites.
This frequent re-use of passwords means that an attacker doesn’t need to directly attack our website to crack our users’ passwords – they can instead first attack one of the many other websites which may have weaker security, where some of our users may have used the same password as they used on our website.
Once the attacker has a list of candidate usernames/email addresses and the corresponding passwords, they can try them against our site (and against lots of other high-value sites). While most won’t work, a few will, and our attacker will be in.
These sorts of attacks are very common – Verizon’s research suggests that the credentials are stolen in up to 35% of system breaches, and that guessed or stolen credentials are used in over 80% of attacks. Microsoft data on attacks shows more than 20 million attempts daily on their systems using such guessed or stolen credentials.
Those users who make use of password management software will normally use a distinct password for each website and are unlikely to be susceptible to this issue. Providing good support for password managers – and advising our users to adopt them – is one of the best ways systems designers and implementors can improve password security. Make sure that the design of the authentication system doesn’t either block their use either intentionally (e.g. “enter 3rd, 8th and 10th characters you’re your password”, or by attempting to block clipboard paste) or accidentally (e.g. different domains used for registration vs login).
However, for a variety of reasons, currently most users do not use password management software, or do not use the password generation features fully – and we have a duty to protect those users too.
Try, Try and Try Again
If just one of those “other” websites doesn’t automatically lock accounts after multiple incorrect attempts, an attacker could simply use a brute-force attack, making thousands of login requests per second with different guesses at the password. After a fortnight at that rate they would have been able to try over a billion different passwords.
We know that users typically create more complex passwords from a simple password by combining a few simple techniques: capitalising one letter (almost always the first), applying some “l33t-sp34k” letter substitutions and then perhaps adding in another digit or punctuation character (almost always at the end). Attackers know this too and include such passwords in their brute-force guesses.
One billion attempts are enough for the attacker to try all the top 100,000 passwords, plus pretty much any password that could be created from any common word using the common complexifying techniques. So, while “Gr4p3fru1t42!” looks “complicated” – and it almost certainly satisfies the complexity rules on our “choose your password” page – an attacker could well find that password in “only” a billion or so guesses against a poorly secured site.
Some password strength meters may give a false sense of security
Good password strength meters take this into account – marking passwords down if they can be generated using such techniques (try exploring the strength of different passwords – you may be surprised how weak some “keyboard smash” passwords are!).
However, many password meters don’t recognise such passwords as weak, leaving users with a false sense of security and possibly rather confused about whether their password is good or not. And of course, many registration and change password screens don’t include any password strength meter at all, leaving users to navigate the dangers of such weak passwords themselves.
Bulk Password Leaks
Making millions of login attempts against websites to guess passwords is a slow process. It must be repeated for each account, and the continual requests risk alerting the website’s operators to the fact that they are under attack.
Fortunately for attackers – and unfortunately for the rest of us – there is often a simpler way for them to gain access to passwords from poorly secured sites. All too many websites have security flaws which leave them wide open to attacks such as SQL Injection and Cross-Site Scripting, which can allow attackers to waltz in and steal passwords for hundreds of thousands of users at once.
Attackers actively probe websites anywhere on the internet, looking for such vulnerabilities. Once they have extracted the passwords and the corresponding usernames and/or email addresses, they are sold on the dark web. Because password re-use is so common, they can then be used to attack other websites. The website Have I Been Pwned?, which tracks these breaches, has recorded over 10 billion stolen account details as of March 2021.
The Weakest Link
Of course, we can (and should) design and test our own systems so that they don’t allow millions of login attempts, and we can penetration test our systems looking for weaknesses that allow hashes to be stolen. We can also improve the hash algorithms used to increase the time it takes to crack passwords if they are stolen.
But because users tend to re-use passwords, attackers can just grab password hashes from anywhere on the internet. So just improving our own systems’ security is not enough – attackers will find and target the weakest sites, and then use the passwords they obtain to attack other, better protected sites. Lists of hundreds of thousands or millions of “pre-cracked” passwords obtained from previous attacks are available for purchase on well-known sites.
Even the strongest password could be cracked if it were re-used on a website with poor security – for example if the website stored passwords in plain-text rather than as hashes, or if the website were compromised in some other way.
We can protect our own sites; we can tell users they shouldn’t reuse passwords across sites; we can encourage them to use password management software to generate long (15+ character) random passwords, which will take longer to crack.
But despite all these efforts, realistically a large proportion of users will continue to use relatively weak passwords, and to re-use them across multiple sites.
For anything as important as banking or investments, we need something better than just passwords to authenticate users.
Fortunately, we can do better – as we will cover in the final article.
